[SOLVED] Failed to execute PipelineAction::Create

alesabat · March 9, 2020, 6:45pm

Hi everyone!

I'm running ELK on docker. Everything works fine, but, since I added some grok patterns to my pipeline, logstash never start again.

This is the error message:

[2020-03-09T18:10:36,634][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", ",", "]" at line 57, column 103 (byte 752) after filter {\n\tgrok {\n\t\tmatch => { "message" => [ "(?%{MONTH:Mes} %{MONTHDAY:Dia}, %{YEAR:Anio} @ %{TIME:Hora}),"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2584:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:156:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}

And this is my pipeline configuration file

input {
beats {
port => 5046
}
}

filter {
grok {
match => { "message" => [ "(?%{MONTH:Mes} %{MONTHDAY:Dia}, %{YEAR:Anio} @ %{TIME:Hora}),""%{WORD:Id}"",""%{USERNAME:Index}"",(?%{NUMBER}|),""%{WORD:Type}"",""%{UUID:AgentEphemeralID}"",""%{USERNAME:AgentHostname}"",""%{UUID:AgentId}"",%{WORD:AgentType},""(?%{INT}.%{INT}.%{INT})"",""(?%{INT}.%{INT}.%{INT})"",""%{HOSTNAME:HostName}"",%{WORD:InputType},""%{PATH:LogFilePath}"",""(?%{INT},%{INT},%{INT})"","%{QUOTEDSTRING:Message}",""(?%{MONTH:Mes} %{MONTHDAY:Dia}, %{YEAR:Anio} @ %{TIME:Hora})"""; ] }
}
}

output {
if "app" in [tags] {
elasticsearch {
hosts => ["elasticsearch:9200"]
user => "elastic"
password => "changeme"
action => "index"
index => "app"
}
}
}

I understand there's some syntax error, but can't find it. I guess is a very tricky grok patterk because all of the ", but this is how messages are.

I'll very appreciate any help.

alesabat · March 9, 2020, 6:47pm

I tried wrapping pattern with " ", , but none of those worked.

Badger · March 9, 2020, 9:31pm

You need to either escape the double quotes within the pattern, or use single quotes to surround the pattern rather than double quotes.

alesabat · March 10, 2020, 11:40am

It worked! I just wrapped the grok pattern with single quotes and worked.

Thanks a lot!!

system · April 7, 2020, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.